Bugzilla can be so annoying sometimes...

selinux-policy-3.9.7-19.fc14.noarch
slapi-nis-0.21-1.fc14.x86_64

In an IPA v2 context I ran ipa-nis-enable manage then restarted 389-ds and it failed to come back up. After a bit of research and fix-one-find-another I think this is it. What I did was pass each new AVC through audit2allow and installed a local policy to find all the problems.

type=AVC msg=audit(1295547915.331:4111): avc: denied { node_bind } for pid=23494 comm="ns-slapd" src=965 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1295548287.301:4113): avc: denied { create } for pid=23543 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295549851.635:4114): avc: denied { create } for pid=23550 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550044.067:4116): avc: denied { connect } for pid=23675 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550136.493:4123): avc: denied { connect } for pid=23682 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550324.494:4126): avc: denied { write } for pid=23809 comm="ns-slapd" name="log" dev=devtmpfs ino=9816 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1295550540.437:4130): avc: denied { sendto } for pid=23933 comm="ns-slapd" path="/dev/log" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550939.062:4133): avc: denied { write } for pid=24055 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550939.065:4134): avc: denied { write } for pid=24055 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
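The reporter's fix-one-find-another loop (feed each new AVC to audit2allow, install a local module, restart, repeat) is the usual way to enumerate what a confined daemon is being denied. Before turning denials into allow rules, it helps to group them by source type, target type and object class so that the expected accesses (the RPC socket and portmapper traffic the NIS plugin needs) can be separated from the surprising ones (the /dev/log accesses that the maintainer later questioned). The following Python script is an added example for this thread, not code from the bug report or from the selinux-policy project; it parses AVC records in the format shown above, summarizes them, and prints allow rules in the style audit2allow would emit. The sample lines are copied from the denials posted in this report; the function names and the rule-rendering format are this example's own.

```python
import re
from collections import defaultdict

# Sample input: AVC denial records taken from the bug report above.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1295547915.331:4111): avc: denied { node_bind } for pid=23494 comm="ns-slapd" src=965 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket',
    'type=AVC msg=audit(1295548287.301:4113): avc: denied { create } for pid=23543 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket',
    'type=AVC msg=audit(1295550044.067:4116): avc: denied { connect } for pid=23675 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket',
    'type=AVC msg=audit(1295550324.494:4126): avc: denied { write } for pid=23809 comm="ns-slapd" name="log" dev=devtmpfs ino=9816 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1295550540.437:4130): avc: denied { sendto } for pid=23933 comm="ns-slapd" path="/dev/log" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket',
    'type=AVC msg=audit(1295550939.062:4133): avc: denied { write } for pid=24055 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket',
]

# Header of an AVC denial: timestamp, serial, the denied permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$'
)
# key=value pairs; values may be quoted (comm="ns-slapd", path="/dev/log").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
    }
    for key, val in KV_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules are written against.
    for ctx in ('scontext', 'tcontext'):
        parts = rec.get(ctx, '').split(':')
        rec[ctx + '_type'] = parts[2] if len(parts) > 2 else None
    return rec


def summarize(lines):
    """Group denials as (source type, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or 'tclass' not in rec:
            continue
        key = (rec['scontext_type'], rec['tcontext_type'], rec['tclass'])
        summary[key].update(rec['perms'])
    return dict(summary)


def needed_rules(lines):
    """Render the summary as allow rules in the style audit2allow prints them.

    A target type equal to the source type is written as 'self', as audit2allow does.
    """
    rules = []
    for (src, tgt, cls), perms in sorted(summarize(lines).items()):
        target = 'self' if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == '__main__':
    for rule in needed_rules(SAMPLE_AVCS):
        print(rule)
```

Run on the sample, the summary reduces nine denials to four distinct (source, target, class) triples. Two of them (node_bind on node_t for a udp_socket, and the daemon's own unix_dgram_socket create/connect/write) match what the NIS plugin is expected to do; the devlog_t sock_file and syslogd_t unix_dgram_socket entries are the ones worth a question before anyone writes an allow rule, which is exactly how the thread proceeded.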
According to Nalin this is an SELinux policy issue.
With the NIS server plugin enabled, the directory server needs to be able to provide an RPC service listening on a privileged port, over both UDP and TCP sockets, and register that service with the local portmapper, which depending on the version used is either contacted over a PF_INET datagram socket or a PF_LOCAL stream socket. I'm not sure why it's attempting to connect to /dev/log, though -- it doesn't try to use syslog.
We have logging_send_syslog_msg(dirsrv_t) in Rawhide. I am adding it also to F13/F14/RHEL6.
Looks like it is fixed in selinux-policy-3.9.7-27
I installed it from koji and it seems to have resolved my issues. I'll give it karma once it hits updates-testing.
selinux-policy-3.9.7-28.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-28.fc14
selinux-policy-3.9.7-28.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-28.fc14
selinux-policy-3.9.7-28.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.